- I use Stronghold.
- I use a strong password (32 character length, Shannon Entropy ~ 4.0) for encrypting the stronghold.
- I rotate the stronghold password on a regular basis.
- I create a daily backup of the stronghold.snapshot file.
- I keep a secure history of passwords used for recovery.
- I use a secure password management service that integrates with the server.
- I use a linux based server (best memory security).
- I have isolated my server behind a DMZ.
- Don't use SQLite.
- Don't store passwords and backups on the same device.
Simply place a snapshot file in the directory that wallet.rs expects.
You can create a new Stronghold snapshot on the fly to allow a user to leave your service and retain their key.
The procedure for changing a Stronghold password is "simple": you read a snapshot into a vault and then write it out with a new encryption password. See this code for the source.
For obvious reasons, old snapshot backups will not be "rekeyed", so you have to track your old passwords.